Enabling audit in 6.3.0 writes to <cluster>.log not to <cluster>_access.log

Hi,
we have re-enabled audit on our Elasticsearch cluster; we had it disabled for a while. The documentation says that there should be a specific audit file, <cluster>_access.log, and I am pretty sure that we have seen that in previous versions.

However, in 6.3.0 there is no such file created, instead I can see the information in the <cluster>.log file.
The security_audit index is created properly.

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]

I have also tried to remove the outputs section but that did not help.

This is a line from our <cluster>.log file, and this seems to be the info that should be in the <cluster>_access.log?

[2018-08-14T13:03:40.455+0200][INFO ][o.e.x.s.a.l.LoggingAuditTrail] [the_host] [transport] [access_granted] origin_type=[rest], origin_address=[10.133.225.24], principal=[remote_monitor], realm=[native], roles=[remote_monitoring_agent], action=[indices:data/write/bulk[s]], indices=[.monitoring-logstash-6-2018.08.14,.monitoring-logstash-6-2018.08.14], request=[BulkShardRequest]

Any input on this?

Regards /Johan

Hi @JohanRask

By default the <cluster>_access.log should be created in 6.3 as well.
The audit log, as well as all the other logs, are implemented with log4j2.
I think you might have tinkered with the config/log4j2.properties file.
Here is an excerpt of the relevant part in a newly downloaded ES 6.3.2:

appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false

I hope you can spot the issue from here.
Let me know if you solved it!
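The answer above points at the log4j2.properties wiring: audit events only land in <cluster>_access.log when a logger for the LoggingAuditTrail class exists, has additivity disabled, and references a file appender of its own. The following script is an added example (not code from this thread or from the Elasticsearch project) that parses a log4j2.properties file and reports which of those three conditions is missing. The parser, the `check_audit_routing` function and both sample configurations are constructed here; the "good" sample reproduces the excerpt quoted above, the "bad" sample stands in for a file that was customised before the audit section existed.

```python
"""Check log4j2.properties for the X-Pack audit-trail wiring (added example)."""
import re
import sys

# Logger class used by the 6.x audit trail, taken from the excerpt above.
AUDIT_LOGGER_CLASS = "org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail"


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value', '#'/'!' comments, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _ids_named(props, kind, name):
    """Return ids X for which '<kind>.X.name' equals name (kind is 'logger' or 'appender')."""
    head, tail = kind + ".", ".name"
    return [k[len(head):-len(tail)] for k, v in props.items()
            if k.startswith(head) and k.endswith(tail) and v == name]


def check_audit_routing(props):
    """Return a list of findings; an empty list means audit events go to *_access.log."""
    findings = []
    loggers = _ids_named(props, "logger", AUDIT_LOGGER_CLASS)
    if not loggers:
        findings.append("no logger.*.name entry for %s; audit events fall through to the "
                        "root logger and end up in <cluster>.log" % AUDIT_LOGGER_CLASS)
        return findings
    prefix = "logger.%s." % loggers[0]
    # Without additivity=false the events are also copied to the root appenders.
    if props.get(prefix + "additivity", "true").lower() != "false":
        findings.append(prefix + "additivity is not false; events are duplicated into <cluster>.log")
    refs = [v for k, v in props.items()
            if k.startswith(prefix + "appenderRef.") and k.endswith(".ref")]
    if not refs:
        findings.append(prefix + "appenderRef.*.ref is missing; the audit logger has no appender")
        return findings
    for ref in refs:
        appenders = _ids_named(props, "appender", ref)
        if not appenders:
            findings.append("appenderRef %r points at an undefined appender" % ref)
            continue
        fname = props.get("appender.%s.fileName" % appenders[0], "")
        if "_access" not in fname:
            findings.append("appender %r writes to %r, not a *_access.log file" % (ref, fname))
    return findings


# Constructed sample: the relevant part of a stock 6.3.2 log4j2.properties.
GOOD_CONFIG = """
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
"""

# Constructed sample: an older customised file with only the main log appender.
BAD_CONFIG = """
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
appender.rolling.layout.type = PatternLayout
appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
rootLogger.level = info
rootLogger.appenderRef.rolling.ref = rolling
"""

if __name__ == "__main__":
    # Usage: python check_audit_log4j2.py /path/to/config/log4j2.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    for finding in check_audit_routing(parse_properties(text)) or ["audit routing looks correct"]:
        print(finding)
```

Run it against the node's config/log4j2.properties; every finding it prints names the property that has to be added or changed. The check is intentionally structural (it does not resolve `${sys:...}` placeholders), so it works on the file as shipped without starting Elasticsearch.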

Yes, you are so right!
We have a modified version that did not even include the audit things; I guess it was from before X-Pack was part of the default download. We have been forced to modify the timestamp format (long story...).

Thanks for the quick answer!

Regards /Johan